Afternoon everyone. Right, onto the real final stretch for this afternoon. Just one last reminder: at the end of the conference the hotel has arranged for an extra number of taxis to be ready and waiting for all of those of you that need to disappear off to the airport and fly after the conference completes. Now at this point in time I'd like to introduce Sergey. He'll be talking about Hacking Team and Gamma International in business-to-government malware. Over to you, Sergey.

Well, hello, my name is Sergey Golovanov and I'm trying to set up my timer to be right on time, just give me a second. Okay, so my name is Sergey Golovanov, I'm a malware expert at Kaspersky Lab, so my job title means that I'm a researcher, developer, inventor and right now a public speaker. So you know that there are several stories about government malware, for example Germany and China, but I'm going to talk in particular about two cases, actually Hacking Team and Gamma International. I think that some of you already know the cases which I'm going to talk about, but just to quickly remind you, and to make you feel how hard it is to fight with this kind of malware, I want to show you just one video.

You have new challenges today. Sensitive data is transmitted over encrypted channels. Often the information you want is not transmitted at all. Your target may be outside your monitoring domain. Is passive monitoring enough? You need more. You want to look through your target's eyes. You have to hack your target. You have to hit many different platforms. You have to overcome encryption and capture relevant data, being stealth and untraceable, deployed all over your country. Exactly what we do. Remote Control System Galileo, the hacking suite for governmental interception. Rely on us.

So this gives you just an example of what we are going to talk about. For me this story started with a letter that we received on 24 July last year, that was sent to a lot of security companies and that contained a JAR file with the Mac malware inside it. So right now we know that this case was connected with the Moroccan case, where a journalist from Morocco was attacked by this malware, and of course there was a lot of buzz in the media because he is a journalist and it's a really bad idea to attack journalists. So this is the case, and when I talk about the political and, you know, social questions about lawful interception I cannot not mention his name: his name is Mr. Morgan, he works for Citizen Lab and he is working at Google as a security researcher, so he's got skills, he's got knowledge and he's got the sources of information, so a lot of people are trusting him and are sending him the images of their laptops, the samples, and he can, you know, directly access the victims, who can share the information with him.

Well, I do not have the sources, so I started to analyze this malware as I regularly do with, you know, Zeus, Stuxnet and all that other stuff, so I started to analyze it like classic malware. So first of all I needed proof that this sample, this binary, was really developed by Hacking Team, but, you know, no law enforcement will give me the computer of the developer of Hacking Team for forensic analysis, so I needed some evidence. The evidence was like this: the first one was obvious, in all materials of Hacking Team they are using RCS, the letters, to describe their functionality, and we've got the same functionality with the same letters in the binaries. Then there was the exploit, which is available on VirusTotal; then also payloads from the Hacking Team subdomain; and the last one, that in some version of the Trojan the path where the source code was located contained the username guido, and suddenly Guido is the name of the senior developer at Hacking Team. So, well, I don't have proof for the court that this malware was developed by Hacking Team, but as a researcher this information is really enough for me.

So what can I do? We started to analyze the functions of the samples, and we needed information from published sources and WikiLeaks; there are some documents about the functions, and how Hacking Team is propagating malware was described, and the same functions were located in the binary: screenshots, recording audio, making video from the victim's computer and so on. But actually there were several other interesting things that I would describe. First of all, there was a self-replication mechanism. So for example in Russia, if a judge gives law enforcement the right to spy on someone, the judge will never, never, never allow law enforcement to, for example, monitor all the random people and friends of the suspect, but the malware allows law enforcement to replicate and infect any computer with the flash drive. Then it's got infection of virtual machines, it can work with mobile platforms, then it's got the ability to update, installation of drivers, and usually the samples are signed by, you know, authorities. So now the fourth and fifth layers are really, really important, because the worst scenario of using the law enforcement tool is the case when a law enforcement officer, for example in some country, has the possibility to install the malware inside the machine, then update this malware with additional code, and this additional code will download some forbidden content from the internet, like child porn, onto the computer, and then this code will, you know, self-delete; after that law enforcement can knock on the door and say "yeah, guilty", and the guy will have nothing to do with it, because there will be no evidence that the malware existed on his computer.

The other way is how it's propagating. We've got several documents that described physical access, then we have the remote methods for installation, social engineering, the self-update, like the JARs in the Moroccan case; then we learned that there were lots of, for example, attachments with the file name FlashUpdate.exe, and then we started to see the exploits. Well, I was searching in our antivirus collection for the samples that were actually used to install this malware, and, you know, for example the idea was that this sample was detected in June and the vulnerability was disclosed in September, so I could just compare these dates, and I see that, for example, Vupen was actually the most active publisher of the exploits, and the last one was discovered by me, so I was really lucky; I passed this zero-day to Adobe. Unfortunately I don't right now have more interesting stuff to deal with, but anyway the zero-day was discovered and this zero-day was, you know, mentioned. Now the big case was the case when these exploits and this malware were found in the US but the C&C server was located in another country, and, you know, this is a really big problem for international cooperation between law enforcement, because it's not allowed for example for the FBI to monitor citizens in Russia, and at the same time the FSB, you know, has no power in the US, so the malware is cross-border, and here is an example of how the malware can act across borders.

So the name of the slide is "FSBSpy, or is it the Hacking Team malware?" Well, I don't know the guys who decided to call this malware FSBSpy, because the FSB, you know, has no connection with Hacking Team, and we had a lot of fights between the researchers who were analyzing the samples to prove that FSBSpy is just code reuse of the RCS malware. So if we talk about the countries, let's see the map. Well, we didn't make special, you know, detection for the Hacking Team malware, because we've got a lot of automation systems that detect a lot of malware, and these automatic systems really do not care about the source of the malware, so I just collected all the verdicts and placed them on the map, and on the map we see that Mexico is the most infected country by this malware, and please remember this country, I will describe its cases later. But if you need, you know, more accurate data, not from Kaspersky Lab, maybe you should use this data, the fingerprint. So Citizen Lab, Morgan, discovered the C2 fingerprint for searching for the servers of FinFisher, so I did the same. So here is the request: these are specific names of files, and you ask some web server about the location of these files, then the answer of the C&C server will be like this, so error, or error, collector, or any key that is there, you know, at the offset in the binary where it was generated. In fact this is where I'm stopping my research. I guess you know Mr. Ross, yesterday in the Symantec presentation, who did a really good job in sinkholing ZeroAccess; it's a huge success, but, you know, I don't want to sink all these botnets, because if I try to do this then I will, you know, immediately get charges for blocking the judgment. And here is the technical information that could be publicly available, but no further steps. And well, of course I'm continuing my research, I'm trying to find other zero-days that could be used for exploitation of vulnerabilities to install this kind of malware, but, you know, no active research right now about Hacking Team.

The other story: this is the story about FinFisher. Well, this is much more sophisticated malware than Hacking Team's, and for example if you know some technique that can be used to, you know, block the researcher, to avoid detection, then this technique is available in the FinFisher malware. It's a bootkit, it's virtualized, it's got several layers of encryption, so it took me about one month to, you know, look at the exactly clean binary, and I asked my colleagues to help me with that, because it's too much of a job to do, but at the end we cleaned all the stuff. So what is it about? Well, first of all the methods of propagation. There were a lot of documents about FinFisher on WikiLeaks describing physical access and the physical way of installation of this malware; at the same time we discovered the social engineering techniques for installation, and one was really, you know, funny, because I saw that the malware was detected on some, you know, website, and the file name of the malware was flashupdate.exe, so of course I went to this website and it's closed, nothing over there, but, you know, it's really hard to hide on the Internet, so DomainTools made a screenshot of this domain when it was actually propagating FinFisher, and you know this domain, so I see the content of the site and this is a phishing site of the news media in some country, let's say, so the guys who were installing this software used social techniques. And yes, no exploits at all, I couldn't find anything, zero-day, not zero-day, everything is clean, so maybe you will find it and then I will, you know, shake your hand. But I had, back again, the functions; the list of functions, you know, is almost the same as with Hacking Team, there is also the forensic job, but, you know, the most interesting part was the list of applications that can be used to, you know, get the passwords, get the emails and so on. And maybe some of you don't know, but if in some malware you've got the Opera browser, you've got The Bat! email client, you've got the messenger and so on, then that means that only in one country, let's say the ex-USSR countries, this software got really popular. That's why when we received this map, you know, we weren't surprised, but I am from Moscow, from Russia, and I was surprised, because for example the first presentation really said that in Russia we've got the big system called SORM for monitoring all activity on the Internet and the telephones and so on, and, you know, there's really no need to install this kind of tool. So we had three main theories: first of all, some police department bought this tool; the second theory, these are cracked versions of this tool, because with FinFisher and with Hacking Team we've got some samples that look like cracked; and the third theory, that some other government is spying on Russian citizens. So we started to look at the truth, and the truth was, you know, completely different: all these detections that we see on this map are from robots. You know, the Russian cyber underground is providing several services to other cybercriminals, like affiliate networks for checking detections; it's like VirusTotal, actually, but for underground use. So all the victims located in Russia are running virtual machines only, they are using trial versions of AVs, and they detect several tens of thousands of malware a day. So this is a robot.

But let's go back to Mexico. The story there was that the US authorities were catching a narco boss at sea; they took the boat where there were several kilograms of narcotics, by using the spyware, and this, you know, brings us the good news, because if Mr. Morgan is telling that a lot of cases are connected with the fight against human rights activists, pro-democracy activists, this case, you know, is like making a balance between the good ways of using the malware and the bad ways, and actually, you know, this is really ridiculous in fact, because the malware saves lives. That's it. So what can they do with it? Okay, so once again, what you can do with it: that's what I was looking for when I was looking in the code. With Hacking Team there was, you know, the ability to execute any code; I was trying to find this function in FinFisher and I didn't find it. So the protocol, you know, for conversation with the C2 server is using opcodes, and it is really hard, you know, when you've got the binary code, it's really hard to analyze it, but I've done everything I can and I didn't find these opcodes and the possibility to execute code. But the FinFisher developers have, you know, a challenge: they've got the malware for all available popular platforms, Windows, Mac and Android, and we have their malware from FinFisher for Android, and you know that Android malware is much easier for researching, and inside this JAR file, the APK file, there was a class that fully described all the functions, opcodes, which the malware can say to the C2 server and what the C2 server can answer, and inside this config file, inside this malware, there were the opcodes for executable files, for making the remote shell commands, allowed to execute anything you want. So that means the FinFisher malware can execute anything, but we don't have a sample, so right now the theory is that somewhere there exists a premium version of FinFisher that can do anything, but we've got no samples.

Well, summary: it's business-to-government malware, and how I learned this: well, it took several months; it's sophisticated malware trying to avoid detection, working with drivers, several ways to, you know, bypass HIPS policies, several methods of injecting code into several processes, they use really hard obfuscation techniques and so on; they've got three ways of installation; we see several hundred infections via our cloud solutions. And what should we do? Well, Mr. Andrew Lee in his first presentation was asking us the questions, so, you know, I didn't have the right answers, and, you know, I cannot recommend you anything, but I think it could be nice if law enforcement would not use remote methods of installation, this malware only by physical access: no exploits, no social tricks, no access through the ISPs, just physical access, and during this physical access law enforcement can, you know, use DRM technologies so the malware couldn't be, you know, copied to another computer, and then, while physical access, please remove the AV. That's it. You know, I can explain to customers why the software didn't help them to deal with malware, because, you know, with software, you know, you can work without the hardware, so that's it. And then, you know, I understand that for law enforcement it's a really, you know, hard trick, because they need, you know, they don't know the location of the suspect, so maybe they should build a big, big monitoring system which wouldn't read the whole content of what all citizens are reading or writing, but just, you know, track the sources: for example, this email was sent from this IP address and the IP address is located over here, and then by physical access they can install the malware, and that's it. But once again, it's my opinion only.

Well, in fact this is the end of my presentation, my research, but, you know, it is a really nice conference, I really like the presentations, so I want to thank you all, the presenters, the organization team, all participants. So I can't, you know, allow myself to end this presentation with such, you know, many thoughts in a negative way, what we should do and so on, so I'd like to entertain you and tell you my story about my feelings during this research. I was really down because of the malware. Well, you know, I have some ethics and brains, so my brains taught me to do several things that we can do with the cybercriminals' games, and I was really down, and when I read the stories from Morgan about how this malware was used it was terrible, so it was a nightmare for me. I didn't sleep, smoked, drank a lot of alcohol, my wife asked me to, you know, eat something, so it was a nightmare, but then my friend sent me some link to a British comedian, it was really funny, so I decided to, you know, deal with my feelings and to do something to get back to normal life, so I decided to write a song. And the song is about the malware, the law enforcement, the AVs, about everything, about all my feelings. Enjoy.

for junga the heater and malware created for life / I think I'll never ever get you relieved / but today they come to visit / the time let's go I think I do / irony Walter / to reversing bias to moving you next time on your ministry you will be arrested and put in jail / something wrong / the two response because on the grapevines can imagine / stays out reasoning and friendship from your carpets clients so maybe you should create a job like you better act like yourself you crazy / the kitchen the bar

Thank you. Questions? Thanks, Sergey. Yeah, he's gonna follow that up if there's anyone with a singsong voice for a question, come on, who's next, any questions out there? One question just in here, here comes the mic.

Hello, nice presentation. Just out of curiosity: F-Secure, among a couple of other players, have made the proclamation that we will detect all malware no matter from which police, even Finnish. Do you know what Kaspersky's official stance on this is?

Can you please repeat the question?

So, thanks. So basically what we do is that we have made a claim that we will detect all malware no matter who is using it.

Yeah, yep. So, well, you know, we've got big, big automatic systems, and we really, you know, the robots, do you know anything about Hacking Team and this song? So actually, you know, we hadn't, you know, right
00:27:59,170 you know orders to stop blocking it we 534 00:27:59,170 --> 00:28:00,550 don't have them maybe they're an 535 00:28:00,550 --> 00:28:02,890 official way some law enforcement are 536 00:28:02,890 --> 00:28:04,990 coming to us during some conference and 537 00:28:04,990 --> 00:28:07,210 asking you know maybe we should allow 538 00:28:07,210 --> 00:28:09,640 them it's a blue case it's a really big 539 00:28:09,640 --> 00:28:12,400 case so we're saving lives so maybe we 540 00:28:12,400 --> 00:28:14,710 should like but we said okay so well 541 00:28:14,710 --> 00:28:17,760 good but I can you know fight with 542 00:28:17,760 --> 00:28:21,340 infrastructure so this is like the roof 543 00:28:21,340 --> 00:28:23,260 so this is the way how we didn't put it 544 00:28:23,260 --> 00:28:25,720 so we are working we are doing what job 545 00:28:25,720 --> 00:28:29,740 and what what else what do you need from 546 00:28:29,740 --> 00:28:36,100 us good aspect Thanks so with that we 547 00:28:36,100 --> 00:28:38,500 wrap up today's session of if you don't 548 00:28:38,500 --> 00:28:40,180 like to raising hands one more time for 549 00:28:40,180 --> 00:28:41,110 the surgery for his excellent 550 00:28:41,110 --> 00:28:42,100 presentation 551 00:28:42,100 --> 00:28:44,159 you